{
  "type": "URL",
  "indicator": "https://sewermanplumbing.com",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://sewermanplumbing.com",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3901793345,
      "indicator": "https://sewermanplumbing.com",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 3,
      "pulses": [
        {
          "id": "682bc2458ba622cc1ce0fe31",
          "name": "hxxps://astromust[.]com - alleged group of Canadian *Hackers* - 05.19.25",
          "description": "Quick Peek into hxxps://astromust[.]com - alleged group of Canadian *Hackers* - 05.19.25\n-->> Just gotta Graph it out // Add some names // all that jazz\nAstromust is a mobile game set in an intergalactic world, where players are pitted against each other in a race to the moon, and the ultimate space adventure game is on offer.",
          "modified": "2025-06-20T16:02:07.802000",
          "created": "2025-05-19T23:44:05.771000",
          "tags": [
            "astromust",
            "multi universal",
            "space team",
            "ai team",
            "astrostation",
            "malware",
            "virus",
            "trojan",
            "ransomware",
            "static",
            "analysis",
            "indicator of compromise",
            "ioc",
            "extraction",
            "emulation",
            "online",
            "submit",
            "sample",
            "download",
            "platform",
            "etmodules",
            "sandbox",
            "vxstream",
            "apt",
            "hybrid analysis",
            "api key",
            "vetting process",
            "please note",
            "please",
            "kaspersky threat intelligence portal",
            "online virus scan file",
            "online file scanner",
            "kaspersky online scanner",
            "online file virus scan",
            "scan file online",
            "scan file for virus",
            "file scanner",
            "online file virus scanner",
            "check link for virus",
            "kaspersky online scan",
            "check file for virus",
            "false alarm",
            "false detection",
            "false positive",
            "community",
            "results",
            "switch",
            "inquest labs",
            "resources api",
            "notes supported",
            "cve list",
            "drop your",
            "file",
            "service",
            "prefetch8 ansi",
            "date",
            "show process",
            "ansi",
            "threat level",
            "hash seen",
            "pcap processing",
            "pcap",
            "sha256",
            "command decode",
            "suspicious",
            "hybrid",
            "comspec",
            "starfield",
            "close",
            "click",
            "hosts",
            "general",
            "path",
            "model",
            "encrypt",
            "strings",
            "contact",
            "ip location",
            "osint verdict",
            "javascript",
            "technology",
            "domain status",
            "server",
            "dnssec",
            "domain name",
            "status",
            "abuse contact",
            "email",
            "registrar abuse",
            "contact phone",
            "algorithm",
            "key identifier",
            "x509v3 subject",
            "data",
            "v3 serial",
            "number",
            "cus olet",
            "encrypt cnr10",
            "validity",
            "subject public",
            "UAlberta"
          ],
          "references": [
            "https://www.filescan.io/uploads/682bbaad0de036ed65ac2b71/reports/331527e9-620a-4de4-8453-ae192d8fa4a0/overview",
            "https://www.hybrid-analysis.com/sample/00defff362d7d7129f891a2934b04b2ed53e6d951a2211e0846eca4f69c8d67b",
            "https://opentip.kaspersky.com/https%3A%2F%2Fastromust.com/?tab=lookup",
            "https://metadefender.com/results/url/aHR0cHM6Ly9hc3Ryb211c3QuY29t",
            "https://www.hybrid-analysis.com/sample/00defff362d7d7129f891a2934b04b2ed53e6d951a2211e0846eca4f69c8d67b/682bbc44b7f58e83f50c9316",
            "https://www.virustotal.com/gui/domain/astromust.com/relations",
            "https://www.virustotal.com/gui/domain/astromust.com/details",
            "https://polyswarm.network/scan/results/url/b90bd2fbc0b269c2355b17ce439872ce2795d5d297c2321c704c451293830887",
            "https://www.virustotal.com/gui/collection/1a911851d442fb25c6c63a6cbfe62be07ccd5b0f1eff0f07db8df5a23d1e2d23/iocs",
            "https://www.virustotal.com/gui/collection/1a911851d442fb25c6c63a6cbfe62be07ccd5b0f1eff0f07db8df5a23d1e2d23",
            "https://www.virustotal.com/graph/embed/gd3d17be766b04b91a5de8ddd5b16415eb8efe15309a14f5f9584649fd216ca12?theme=dark"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "AstroStation",
              "display_name": "AstroStation",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1505",
              "name": "Server Software Component",
              "display_name": "T1505 - Server Software Component"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [
            "Government",
            "Telecommunications",
            "Healthcare",
            "Education"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 44,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 3,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA1": 70,
            "FileHash-SHA256": 801,
            "URL": 421,
            "domain": 473,
            "hostname": 237,
            "FileHash-MD5": 64,
            "SSLCertFingerprint": 17,
            "email": 6
          },
          "indicator_count": 2089,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 130,
          "modified_text": "345 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "660b176a98b0c92ba5a962bc",
          "name": "\"No Problems\" - UAlberta TLD (Confirmed TLD - 08.04.24) & Subdomain compromise",
          "description": "Basically the above\n\n\"No Problems\", \"We are Unhackable\", etc. etc. causing problems.",
          "modified": "2024-09-04T05:01:56.993000",
          "created": "2024-04-01T20:22:02.851000",
          "tags": [
            "BEC"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/summary",
            "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/iocs",
            "https://www.virustotal.com/graph/embed/gead337f35cdd4241b225b68ff0528a3834be5d60876745fa99254ff7f8a0df22?theme=dark",
            "https://www.virustotal.com/graph/embed/g1e31eca6803a433a9a33437d593a2bbdf979ff77c91340d1ab624d10dc8732b3?theme=dark",
            "https://dnstwist.it/#ea665d15-6507-4057-b2c9-18a2e546ee95",
            "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore",
            "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/",
            "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom",
            "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America",
            "Netherlands"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Technology",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 233,
            "FileHash-SHA1": 230,
            "FileHash-SHA256": 6703,
            "URL": 4450,
            "CIDR": 3,
            "domain": 6223,
            "hostname": 2863,
            "email": 7,
            "CVE": 53
          },
          "indicator_count": 20765,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 130,
          "modified_text": "634 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6663311a8c529069bb34a06f",
          "name": "Injection | Win.Worm.Mydoom | Ransomware | Android Device attack",
          "description": "Android device, remotely modified, hidden users, 'zombie' device, targeting, framing, unknown admin.",
          "modified": "2024-07-07T15:00:25.739000",
          "created": "2024-06-07T16:11:06.485000",
          "tags": [
            "november",
            "threat roundup",
            "axelo",
            "atkafij0",
            "referrer",
            "historical ssl",
            "dynamicloader",
            "write c",
            "yara rule",
            "delete c",
            "ms windows",
            "medium",
            "yara detections",
            "show",
            "search",
            "united",
            "write",
            "copy",
            "create c",
            "read c",
            "flashpix",
            "high",
            "template",
            "persistence",
            "execution",
            "next",
            "unknown",
            "shared address",
            "html info",
            "title rfc",
            "ipv4 prefix",
            "space meta",
            "tags",
            "prefix",
            "space",
            "script tags",
            "anchor hrefs",
            "sha256",
            "vhash",
            "ssdeep",
            "html internet",
            "magic html",
            "ascii text",
            "magika html",
            "file size",
            "internet",
            "iana",
            "city",
            "los angeles",
            "orgabusephone",
            "orgid",
            "iana ref",
            "net192",
            "net1920000",
            "iana special",
            "detections type",
            "name",
            "win32 exe",
            "runresdll",
            "android",
            "trojan",
            "files",
            "installer",
            "10357",
            "javascript",
            "malibot",
            "pe32",
            "intel",
            "linux x8664",
            "khtml",
            "win32",
            "process32nextw",
            "discovery",
            "discovery t1057",
            "t1057",
            "t1045",
            "memcommit",
            "regopenkeyexw",
            "regsetvalueexa",
            "writeconsolea",
            "minute tr",
            "highest f",
            "regdword",
            "del f",
            "start",
            "memreserve",
            "dock"
          ],
          "references": [
            "http://tools.ietf.org/html/rfc6598 | Found in android device| Block: 100:116.200.0/? [Special Use /Non - IANA]",
            "AV Detection: Win.Downloader.68062-1 | Yara Detections: MS_Visual_Basic_6_0 ,  Cabinet_Archive",
            "High Priority Alerts: dead_host network_icmp dumped_buffer2 nolookup_communication modifies_certificates",
            "Alerts: dumped_buffer network_http allocates_rwx antisandbox_sleep antivm_disk_size exe_appdata antivm_network_adapters privilege_luid_check",
            "Alerts: antivm_queries_computername checks_debugger recon_fingerprint antivm_memory_available",
            "Image: https://otx.alienvault.com/otxapi/indicators/file/screenshot/a674df2469cb894b79343bdedfb2068c124746003678826f9281f69887200811",
            "https://otx.alienvault.com/indicator/file/a674df2469cb894b79343bdedfb2068c124746003678826f9281f69887200811 [Win.Downloader.68062-1]",
            "https://otx.alienvault.com/indicator/file/0000374bffccbcd54ea9a1c51514b671a8caf732ef3bef2cc8cccd4bf01665cf [Win.Worm.Mydoom-5]",
            "Yara Detections: Nrv2x , upx_3 ,  UPX_OEP_place , UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPX",
            "High Priority Alerts: procmem_yara network_bind persistence_autorun",
            "Alerts: dynamic_function_loading powershell_download reads_self suspicious_tld dead_connect",
            "buildbot.tools.ietf.org [Win32:Malware-gen]",
            "Yara Detections: MS_Visual_Cpp_2008 | High Priority Alerts:  dead_host network_icmp",
            "Priority Alerts: dumped_buffer network_http suspicious_tld allocates_rwx creates_exe exe_appdata antivm_network_adapters pe_features",
            "Yara: Detections Skype User-Agent detected, LZMA"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Win.Downloader.68062-1",
              "display_name": "Win.Downloader.68062-1",
              "target": null
            },
            {
              "id": "Win.Worm.Mydoom-5",
              "display_name": "Win.Worm.Mydoom-5",
              "target": null
            },
            {
              "id": "Win32:Trojan-gen",
              "display_name": "Win32:Trojan-gen",
              "target": null
            },
            {
              "id": "Backdoor:Win32/Hera.A!bit",
              "display_name": "Backdoor:Win32/Hera.A!bit",
              "target": "/malware/Backdoor:Win32/Hera.A!bit"
            }
          ],
          "attack_ids": [
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1081",
              "name": "Credentials in Files",
              "display_name": "T1081 - Credentials in Files"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 350,
            "FileHash-SHA1": 318,
            "FileHash-SHA256": 1929,
            "URL": 1885,
            "hostname": 1600,
            "domain": 1380,
            "email": 7,
            "SSLCertFingerprint": 40
          },
          "indicator_count": 7509,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 233,
          "modified_text": "693 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://otx.alienvault.com/indicator/file/a674df2469cb894b79343bdedfb2068c124746003678826f9281f69887200811 [Win.Downloader.68062-1]",
        "High Priority Alerts: procmem_yara network_bind persistence_autorun",
        "https://otx.alienvault.com/indicator/file/0000374bffccbcd54ea9a1c51514b671a8caf732ef3bef2cc8cccd4bf01665cf [Win.Worm.Mydoom-5]",
        "buildbot.tools.ietf.org [Win32:Malware-gen]",
        "https://www.virustotal.com/graph/embed/g1e31eca6803a433a9a33437d593a2bbdf979ff77c91340d1ab624d10dc8732b3?theme=dark",
        "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate",
        "https://www.virustotal.com/gui/domain/astromust.com/details",
        "https://www.filescan.io/uploads/682bbaad0de036ed65ac2b71/reports/331527e9-620a-4de4-8453-ae192d8fa4a0/overview",
        "Alerts: dumped_buffer network_http allocates_rwx antisandbox_sleep antivm_disk_size exe_appdata antivm_network_adapters privilege_luid_check",
        "Yara Detections: MS_Visual_Cpp_2008 | High Priority Alerts:  dead_host network_icmp",
        "https://www.hybrid-analysis.com/sample/00defff362d7d7129f891a2934b04b2ed53e6d951a2211e0846eca4f69c8d67b/682bbc44b7f58e83f50c9316",
        "https://metadefender.com/results/url/aHR0cHM6Ly9hc3Ryb211c3QuY29t",
        "High Priority Alerts: dead_host network_icmp dumped_buffer2 nolookup_communication modifies_certificates",
        "https://opentip.kaspersky.com/https%3A%2F%2Fastromust.com/?tab=lookup",
        "Priority Alerts: dumped_buffer network_http suspicious_tld allocates_rwx creates_exe exe_appdata antivm_network_adapters pe_features",
        "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/iocs",
        "Alerts: dynamic_function_loading powershell_download reads_self suspicious_tld dead_connect",
        "https://www.virustotal.com/gui/collection/1a911851d442fb25c6c63a6cbfe62be07ccd5b0f1eff0f07db8df5a23d1e2d23/iocs",
        "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/",
        "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore",
        "https://www.virustotal.com/gui/collection/1a911851d442fb25c6c63a6cbfe62be07ccd5b0f1eff0f07db8df5a23d1e2d23",
        "Image: https://otx.alienvault.com/otxapi/indicators/file/screenshot/a674df2469cb894b79343bdedfb2068c124746003678826f9281f69887200811",
        "Yara: Detections Skype User-Agent detected, LZMA",
        "https://dnstwist.it/#ea665d15-6507-4057-b2c9-18a2e546ee95",
        "https://polyswarm.network/scan/results/url/b90bd2fbc0b269c2355b17ce439872ce2795d5d297c2321c704c451293830887",
        "http://tools.ietf.org/html/rfc6598 | Found in android device| Block: 100:116.200.0/? [Special Use /Non - IANA]",
        "Yara Detections: Nrv2x , upx_3 ,  UPX_OEP_place , UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPX",
        "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom",
        "https://www.hybrid-analysis.com/sample/00defff362d7d7129f891a2934b04b2ed53e6d951a2211e0846eca4f69c8d67b",
        "https://www.virustotal.com/gui/domain/astromust.com/relations",
        "https://www.virustotal.com/graph/embed/gead337f35cdd4241b225b68ff0528a3834be5d60876745fa99254ff7f8a0df22?theme=dark",
        "Alerts: antivm_queries_computername checks_debugger recon_fingerprint antivm_memory_available",
        "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/summary",
        "AV Detection: Win.Downloader.68062-1 | Yara Detections: MS_Visual_Basic_6_0 ,  Cabinet_Archive",
        "https://www.virustotal.com/graph/embed/gd3d17be766b04b91a5de8ddd5b16415eb8efe15309a14f5f9584649fd216ca12?theme=dark"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Win.worm.mydoom-5",
            "Backdoor:win32/hera.a!bit",
            "Win.downloader.68062-1",
            "Astrostation",
            "Win32:trojan-gen"
          ],
          "industries": [
            "Telecommunications",
            "Healthcare",
            "Technology",
            "Government",
            "Education"
          ],
          "unique_indicators": 15880
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/sewermanplumbing.com",
    "whois": "http://whois.domaintools.com/sewermanplumbing.com",
    "domain": "sewermanplumbing.com",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 3,
  "pulses": [
    {
      "id": "682bc2458ba622cc1ce0fe31",
      "name": "hxxps://astromust[.]com - alleged group of Canadian *Hackers* - 05.19.25",
      "description": "Quick Peek into hxxps://astromust[.]com - alleged group of Canadian *Hackers* - 05.19.25\n-->> Just gotta Graph it out // Add some names // all that jazz\nAstromust is a mobile game set in an intergalactic world, where players are pitted against each other in a race to the moon, and the ultimate space adventure game is on offer.",
      "modified": "2025-06-20T16:02:07.802000",
      "created": "2025-05-19T23:44:05.771000",
      "tags": [
        "astromust",
        "multi universal",
        "space team",
        "ai team",
        "astrostation",
        "malware",
        "virus",
        "trojan",
        "ransomware",
        "static",
        "analysis",
        "indicator of compromise",
        "ioc",
        "extraction",
        "emulation",
        "online",
        "submit",
        "sample",
        "download",
        "platform",
        "etmodules",
        "sandbox",
        "vxstream",
        "apt",
        "hybrid analysis",
        "api key",
        "vetting process",
        "please note",
        "please",
        "kaspersky threat intelligence portal",
        "online virus scan file",
        "online file scanner",
        "kaspersky online scanner",
        "online file virus scan",
        "scan file online",
        "scan file for virus",
        "file scanner",
        "online file virus scanner",
        "check link for virus",
        "kaspersky online scan",
        "check file for virus",
        "false alarm",
        "false detection",
        "false positive",
        "community",
        "results",
        "switch",
        "inquest labs",
        "resources api",
        "notes supported",
        "cve list",
        "drop your",
        "file",
        "service",
        "prefetch8 ansi",
        "date",
        "show process",
        "ansi",
        "threat level",
        "hash seen",
        "pcap processing",
        "pcap",
        "sha256",
        "command decode",
        "suspicious",
        "hybrid",
        "comspec",
        "starfield",
        "close",
        "click",
        "hosts",
        "general",
        "path",
        "model",
        "encrypt",
        "strings",
        "contact",
        "ip location",
        "osint verdict",
        "javascript",
        "technology",
        "domain status",
        "server",
        "dnssec",
        "domain name",
        "status",
        "abuse contact",
        "email",
        "registrar abuse",
        "contact phone",
        "algorithm",
        "key identifier",
        "x509v3 subject",
        "data",
        "v3 serial",
        "number",
        "cus olet",
        "encrypt cnr10",
        "validity",
        "subject public",
        "UAlberta"
      ],
      "references": [
        "https://www.filescan.io/uploads/682bbaad0de036ed65ac2b71/reports/331527e9-620a-4de4-8453-ae192d8fa4a0/overview",
        "https://www.hybrid-analysis.com/sample/00defff362d7d7129f891a2934b04b2ed53e6d951a2211e0846eca4f69c8d67b",
        "https://opentip.kaspersky.com/https%3A%2F%2Fastromust.com/?tab=lookup",
        "https://metadefender.com/results/url/aHR0cHM6Ly9hc3Ryb211c3QuY29t",
        "https://www.hybrid-analysis.com/sample/00defff362d7d7129f891a2934b04b2ed53e6d951a2211e0846eca4f69c8d67b/682bbc44b7f58e83f50c9316",
        "https://www.virustotal.com/gui/domain/astromust.com/relations",
        "https://www.virustotal.com/gui/domain/astromust.com/details",
        "https://polyswarm.network/scan/results/url/b90bd2fbc0b269c2355b17ce439872ce2795d5d297c2321c704c451293830887",
        "https://www.virustotal.com/gui/collection/1a911851d442fb25c6c63a6cbfe62be07ccd5b0f1eff0f07db8df5a23d1e2d23/iocs",
        "https://www.virustotal.com/gui/collection/1a911851d442fb25c6c63a6cbfe62be07ccd5b0f1eff0f07db8df5a23d1e2d23",
        "https://www.virustotal.com/graph/embed/gd3d17be766b04b91a5de8ddd5b16415eb8efe15309a14f5f9584649fd216ca12?theme=dark"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada",
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "AstroStation",
          "display_name": "AstroStation",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1505",
          "name": "Server Software Component",
          "display_name": "T1505 - Server Software Component"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        }
      ],
      "industries": [
        "Government",
        "Telecommunications",
        "Healthcare",
        "Education"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 44,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 3,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA1": 70,
        "FileHash-SHA256": 801,
        "URL": 421,
        "domain": 473,
        "hostname": 237,
        "FileHash-MD5": 64,
        "SSLCertFingerprint": 17,
        "email": 6
      },
      "indicator_count": 2089,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 130,
      "modified_text": "345 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "660b176a98b0c92ba5a962bc",
      "name": "\"No Problems\" - UAlberta TLD (Confirmed TLD - 08.04.24) & Subdomain compromise",
      "description": "Basically the above\n\n\"No Problems\", \"We are Unhackable\", etc. etc. causing problems.",
      "modified": "2024-09-04T05:01:56.993000",
      "created": "2024-04-01T20:22:02.851000",
      "tags": [
        "BEC"
      ],
      "references": [
        "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/summary",
        "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/iocs",
        "https://www.virustotal.com/graph/embed/gead337f35cdd4241b225b68ff0528a3834be5d60876745fa99254ff7f8a0df22?theme=dark",
        "https://www.virustotal.com/graph/embed/g1e31eca6803a433a9a33437d593a2bbdf979ff77c91340d1ab624d10dc8732b3?theme=dark",
        "https://dnstwist.it/#ea665d15-6507-4057-b2c9-18a2e546ee95",
        "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore",
        "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/",
        "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom",
        "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada",
        "United States of America",
        "Netherlands"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Education",
        "Technology",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 233,
        "FileHash-SHA1": 230,
        "FileHash-SHA256": 6703,
        "URL": 4450,
        "CIDR": 3,
        "domain": 6223,
        "hostname": 2863,
        "email": 7,
        "CVE": 53
      },
      "indicator_count": 20765,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 130,
      "modified_text": "634 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6663311a8c529069bb34a06f",
      "name": "Injection | Win.Worm.Mydoom | Ransomware | Android Device attack",
      "description": "Android device, remotely modified, hidden users, 'zombie' device, targeting, framing, unknown admin.",
      "modified": "2024-07-07T15:00:25.739000",
      "created": "2024-06-07T16:11:06.485000",
      "tags": [
        "november",
        "threat roundup",
        "axelo",
        "atkafij0",
        "referrer",
        "historical ssl",
        "dynamicloader",
        "write c",
        "yara rule",
        "delete c",
        "ms windows",
        "medium",
        "yara detections",
        "show",
        "search",
        "united",
        "write",
        "copy",
        "create c",
        "read c",
        "flashpix",
        "high",
        "template",
        "persistence",
        "execution",
        "next",
        "unknown",
        "shared address",
        "html info",
        "title rfc",
        "ipv4 prefix",
        "space meta",
        "tags",
        "prefix",
        "space",
        "script tags",
        "anchor hrefs",
        "sha256",
        "vhash",
        "ssdeep",
        "html internet",
        "magic html",
        "ascii text",
        "magika html",
        "file size",
        "internet",
        "iana",
        "city",
        "los angeles",
        "orgabusephone",
        "orgid",
        "iana ref",
        "net192",
        "net1920000",
        "iana special",
        "detections type",
        "name",
        "win32 exe",
        "runresdll",
        "android",
        "trojan",
        "files",
        "installer",
        "10357",
        "javascript",
        "malibot",
        "pe32",
        "intel",
        "linux x8664",
        "khtml",
        "win32",
        "process32nextw",
        "discovery",
        "discovery t1057",
        "t1057",
        "t1045",
        "memcommit",
        "regopenkeyexw",
        "regsetvalueexa",
        "writeconsolea",
        "minute tr",
        "highest f",
        "regdword",
        "del f",
        "start",
        "memreserve",
        "dock"
      ],
      "references": [
        "http://tools.ietf.org/html/rfc6598 | Found in Android device | Block: 100:116.200.0/? [Special Use / Non-IANA]",
        "AV Detection: Win.Downloader.68062-1 | Yara Detections: MS_Visual_Basic_6_0 ,  Cabinet_Archive",
        "High Priority Alerts: dead_host network_icmp dumped_buffer2 nolookup_communication modifies_certificates",
        "Alerts: dumped_buffer network_http allocates_rwx antisandbox_sleep antivm_disk_size exe_appdata antivm_network_adapters privilege_luid_check",
        "Alerts: antivm_queries_computername checks_debugger recon_fingerprint antivm_memory_available",
        "Image: https://otx.alienvault.com/otxapi/indicators/file/screenshot/a674df2469cb894b79343bdedfb2068c124746003678826f9281f69887200811",
        "https://otx.alienvault.com/indicator/file/a674df2469cb894b79343bdedfb2068c124746003678826f9281f69887200811 [Win.Downloader.68062-1]",
        "https://otx.alienvault.com/indicator/file/0000374bffccbcd54ea9a1c51514b671a8caf732ef3bef2cc8cccd4bf01665cf [Win.Worm.Mydoom-5]",
        "Yara Detections: Nrv2x , upx_3 ,  UPX_OEP_place , UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPX",
        "High Priority Alerts: procmem_yara network_bind persistence_autorun",
        "Alerts: dynamic_function_loading powershell_download reads_self suspicious_tld dead_connect",
        "buildbot.tools.ietf.org [Win32:Malware-gen]",
        "Yara Detections: MS_Visual_Cpp_2008 | High Priority Alerts:  dead_host network_icmp",
        "Priority Alerts: dumped_buffer network_http suspicious_tld allocates_rwx creates_exe exe_appdata antivm_network_adapters pe_features",
        "Yara Detections: Skype User-Agent detected, LZMA"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Win.Downloader.68062-1",
          "display_name": "Win.Downloader.68062-1",
          "target": null
        },
        {
          "id": "Win.Worm.Mydoom-5",
          "display_name": "Win.Worm.Mydoom-5",
          "target": null
        },
        {
          "id": "Win32:Trojan-gen",
          "display_name": "Win32:Trojan-gen",
          "target": null
        },
        {
          "id": "Backdoor:Win32/Hera.A!bit",
          "display_name": "Backdoor:Win32/Hera.A!bit",
          "target": "/malware/Backdoor:Win32/Hera.A!bit"
        }
      ],
      "attack_ids": [
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1081",
          "name": "Credentials in Files",
          "display_name": "T1081 - Credentials in Files"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 29,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 350,
        "FileHash-SHA1": 318,
        "FileHash-SHA256": 1929,
        "URL": 1885,
        "hostname": 1600,
        "domain": 1380,
        "email": 7,
        "SSLCertFingerprint": 40
      },
      "indicator_count": 7509,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 233,
      "modified_text": "693 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://sewermanplumbing.com",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://sewermanplumbing.com",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780246252.7800171
}